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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.1 14, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.1 14. Applicant's submission filed on 02/09/09 has been entered. 

Priority 

Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers 
have been placed of record in the file. 

Oath/Declaration 

The oath or declaration is defective. A new oath or declaration in compliance with 37 
CFR 1.67(a) identifying this application by application number and filing date is required. See 
MPEP§§ 602.01 and 602.02. 

The oath or declaration is defective because: 

The specification to which the oath or declaration is directed has not been adequately 
identified. See MPEP § 602. 

The oath incorrectly identifies the specification as being directed to 
PCT/SE2003/006021, when in fact in should be PCT/IB03/06021. 
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Drawings 

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they 
do not include the following reference sign(s) mentioned in the description: 

"The safety-hardware unit 1 1 comprises communication means to communicate with the 
Controller's CPU via a bus 14" mentioned on pg. 6 lines 16-18 is not depicted in the Figures. 

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to 
the Office action to avoid abandonment of the application. Any amended replacement drawing 
sheet should include all of the figures appearing on the immediate prior version of the sheet, 
even if only one figure is being amended. Each drawing sheet submitted after the filing date of 
an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" 
pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will 
be notified and informed of any required corrective action in the next Office action. The 
objection to the drawings will not be held in abeyance. 

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they 
include the following reference character(s) not mentioned in the description: reference character 
9 depicted in Fig. 4. Corrected drawing sheets in compliance with 37 CFR 1.121(d), or 
amendment to the specification to add the reference character(s) in the description in compliance 
with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the 
application. Any amended replacement drawing sheet should include all of the figures appearing 
on the immediate prior version of the sheet, even if only one figure is being amended. Each 
drawing sheet submitted after the filing date of an application must be labeled in the top margin 
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as either "Replacement Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are 
not accepted by the examiner, the applicant will be notified and informed of any required 
corrective action in the next Office action. The objection to the drawings will not be held in 
abeyance. 
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Claim Rejections - 35 USC § 112 

The following is a quotation of the first paragraph of 35 U.S. C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

Claims 1-3 and 5-20 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to reasonably convey to one skilled in the 
relevant art that the inventor(s), at the time the application was filed, had possession of the 
claimed invention. 

Claims 1-3 and 14-16 recite the limitation "single safety controller". There is no support 
in the original disclosure for this limitation. These limitations should be changed back to "single 
controller". 

Claims 5-13 and 17-20 depend from claims 1 and 15 and incorporate the same 
deficiencies. 
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The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 10-12 and 14 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

Claims 10-12 depend from a cancelled claim. 

Claim 14 recites the limitation "the redundant controller unit" in line 1. There is 
insufficient antecedent basis for this limitation in the claim. 
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Claim Rejections - 35 USC §102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention \v;is patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

Claims 1-3 and 5-20 are rejected under 35 U.S.C. 102(b) as being anticipated by Andreas 
Schenk. "SIMATIC S7-400F/FH: Safety-Related Programmable Logic Controller". 
SAFECOMP 2000, LNCS 1943 (2000): 286-293. 

Schenk discloses: 

1 . A method to increase a safety integrity level of a single safety controller for control of 
real world objects, the method comprising: 

attaching to the single controller (e.g., Fig. 1: "1 standard CPU 417-4H") a safety- 
hardware unit (e.g., Fig. 1: "fail-safe I/O module") wherein the safety-hardware unit 
communicates with a central processing unit of the single controller, 

connecting a bus (e.g., Fig. 1: "PROFIBUS") to the single safety controller (e.g., Fig. 1: 
"1 standard CPU") and connecting an input/output unit to the bus (e.g., Fig. 1, pg. 287: "Safety- 
related input from and output to the process are done with special fail-safe I/O modules"), 

downloading safety-related configuration data and/or diagnostic information to the 
attached safety-hardware unit (e.g., pg. 288: "The fail-safe I/O modules are configured with the 
standard hardware configuration tool", pg. 287: "external fault diagnostics") and downloading a 
control function software to the single controller (e.g. Fig. 1, pg. 291: "not safety-related 
application program"), 
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configuring the attached safety-hardware unit to execute logic, which depends on the 
downloaded safety-related configuration data and/or diagnostic information (e.g., pg. 288: "The 
fail-safe I/O modules are configured with the standard hardware configuration tool", pg. 287: 
"The fail-safe I/O modules provide an internal loo2 structure with comparison, self-tests and 
external fault diagnostics"), 

actively or passively setting output values of the single controller to a safe state for online 
safety control (e.g., Fig. 1, pg. 287: "Safety-related input from and output to the process are done 
with special fail-safe I/O modules'"), 

obtaining access to a plurality of input and output values of a real world object through 
the bus (e.g., Fig. I, pg. 287: "Safety-related input from and output to the process are done with 
special fail-safe I/O modules"), and 

verifying a validity of the bus communication with the attached safety hardware unit 
(e.g., pg. 290: "the checksums of the safety telegrams sent are invalid and fault detection and 
reaction is done by the recipients of safety telegrams, i.e., fail-safe output modules"). 

2. The method according to claim 1, wherein the single safety controller has the 
capability of executing a set of non-safety critical control functions, which set of non-safety 
critical control functions is the same before as well as after the safety hardware unit is attached 
(e.g. pg. 291: "Safety-related and not safety-related application program can be processed by the 
same CPU"). 

3. The method according to claim 2, wherein the configuring comprises: 
downloading to the attached safety hardware unit diagnostic information, which 

previously was automatically generated by a software tool as a result of user's configuration of 
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the single safety controller and which diagnostic information is used in the attached safety 
hardware unit during safety critical control (e.g., pg. 288: "The fail-safe I/O modules are 
configured with the standard hardware configuration tool", pg. 287: "external fault diagnostics"). 

5. The method according to claim 1, wherein the timing supervision of the controller 
is verified in the attached safety hardware unit (e.g., pg. 289: "Cycle time is checked. . .indirectly 
by the recipients of safety telegrams waiting for a new sequence number in the safety telegram"). 

6. The method according to claim 1, wherein correct sequence of code logic is 
verified in the attached safety hardware unit (e.g., pg. 289: "Cycle time is checked. . .indirectly by 
the recipients of safety telegrams waiting for a new sequence number in the safety telegram"). 

7. The method according to claim 1, wherein correctness of memory content of the 
controller is verified in the attached safety hardware unit (e.g., pg. 290: "Self-tests include SP7- 
ASIC, RAM and CRC of code blocks and operating system"). 

8. The method according to claim 1, wherein a download of new control 
functionality logic to the controller is verified in the attached safety hardware unit (e.g., pg. 290: 
"Self-tests include SP7-ASIC, RAM and CRC of code blocks and operating system"). 

9. The method according to claim 1, wherein the attached safety hardware unit 
performs checks in order to allow only users logged on as safety classified engineers and safety 
classified operators to modify the control functionality logic and parameters (e.g., pg. 290: 
"password"). 

10. The method according to claim 4, wherein the bus communication verification 
logic in the attached safety hardware unit is implemented diverse (e.g., pg. 290: "Comparison of 
the diverse results of the safety-related application program and fault reaction is done. . .indirectly 
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by the recipients of the safety telegrams sent by the safety-related application program, i.e., fail- 
safe output modules"). 

1 1 . The method according to claim 4, wherein the attached safety hardware unit is 
diverse generating a safety related header for the bus communication (e.g., pg. 290: "Comparison 
of the diverse results of the safety-related application program and fault reaction is 
done... indirectly by the recipients of the safety telegrams sent by the safety-related application 
program, i.e., fail-safe output modules", "This safety protocol is... implemented in the fail-safe 
I/O modules"). 

12. The method according to claim 1 1, wherein the input/output unit has two diverse 
implementations each verifying the correctness of the bus traffic and each generating a safety 
related header for the bus communication (e.g., pg. 290: "Comparison of the diverse results of 
the safety-related application program and fault reaction is done... indirectly by the recipients of 
the safety telegrams sent by the safety-related application program, i.e., fail-safe output 
modules", pg. 287: "This safety protocol is... implemented in the fail-safe I/O modules"). 

13. The method according to claim 1, wherein the attached safety hardware unit 
comprises a first and a second module in a redundant configuration, the second module is 
updated with data that exists first module at the time of a failure and the second module takes 
over the safety related control of the control system from the first module if a failure of the first 
module is detected (e.g., Fig. 5: "redundant fail-safe I/O modules"). 

14. The method according to claim 13, wherein the redundant controller unit is 
attached to the single safety controller, which takes over in case of a failure of a primary 
controller and the redundant controller unit establish communication with either the active first 
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module or the active second module of the attached safety hardware unit (e.g., Fig. 5: "redundant 
CPU417-4H"). 

15. A single or 1 -channel control system intended for safety-related control of real- 
world objects, comprising: 

a single main central processing unit handling main processes of a single safety controller 
(e.g., Fig. 1: "1 standard CPU 417-4H"), 

a safety-hardware unit (e.g., Fig. 1: "fail-safe I/O module") attached to said single safety 
controller (e.g., Fig. 1: "1 standard CPU 417-4H"), the safety-hardware unit comprising means to 
increase a safety-integrity level of the single safety controller and comprising means to set output 
values of the single safety controller in a safe state for online safety control (e.g., Fig. 1, pg. 287: 
"Safety-related input from and output to the process are done with special fail-safe I/O 
modules'"). 

16. The control system according to claim 15, wherein the safety controller has the 
capability of executing a set of non-safety critical control functions, which set of non-safety 
critical control functions is the same before as well as after the safety hardware unit is attached 
(e.g. pg. 291: "Safety-related and not safety-related application program can be processed by the 
same CPU"). 

17. The control system according to claim 16, further comprising: means for 
downloading to the attached safety hardware unit diagnostic information, which previously was 
automatically generated by a software tool as a result of user's configuration of the controller and 
which diagnostic information is used in the attached safety hardware unit during safety critical 
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control (e.g., pg. 288: "The fail-safe I/O modules are configured with the standard hardware 
configuration tool", pg. 287: "external fault diagnostics"). 

18. The control system according to claim 17, further comprising: 

an input/output unit (e.g., Fig. 1, pg. 287: "Safety-related input from and output to the 
process are done with special fail-safe I/O modules") connected to the controller by a bus (e.g., 
Fig. 1 : "PROFIBUS") and the validity of the bus communication is verified in the attached safety 
hardware unit (e.g., pg. 290: "the checksums of the safety telegrams sent are invalid and fault 
detection and reaction is done by the recipients of safety telegrams, i.e., fail-safe output 
modules"). 

19. The control system according to claim 18, wherein the bus communication 
verification logic in the attached safety hardware unit is implemented diverse (e.g., pg. 290: 
"Comparison of the diverse results of the safety-related application program and fault reaction is 
done... indirectly by the recipients of the safety telegrams sent by the safety-related application 
program, i.e., fail-safe output modules"). 

20. The control system according to claim 19, wherein the attached safety hardware 
unit is diverse generating a safety related header for the bus communication (e.g., pg. 287: "This 
safety protocol is. . .implemented in the fail-safe I/O modules"). 
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Response to Arguments 

Applicant's arguments filed 02/09/09 have been fully considered but they are not 
persuasive. However, the rejection of claims 1-20 under 35 U.S.C. 102(e) as being anticipated 
by Scott et al. US 6,975,966 is being withdrawn since the effective filing date of Scott et al. does 
not beat the foreign priority date of the instant application, which is 12/19/02. The foreign 
priority document of the instant application was published in English. The bib data sheet is 
being updated to reflect this foreign priority date. 
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Conclusion 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Barthel et al. US 7,337,369 discloses microprocessor-controlled field device for 
connection to a field bus system. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to RYAN A. JARRETT whose telephone number is (571)272-3742. 
The examiner can normally be reached on 10:00-6:30 M-F. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Albert Decady can be reached on (571) 272-3819. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Ryan A. Jarrett/ 

Primary Examiner, Art Unit 2121 

03/08/09 



